problem with setting nat

Bartek W. aka Mastier mistrzipan at gmail.com
Tue Aug 23 10:23:56 UTC 2011


On 23.08.2011 11:48, Sara Khanchi wrote:
>>> lan(11.11.11.0/24) --|switch|-- |(.1) gw (.64)| --|switch|--
>>> upstream(172.16.10.x/16)
>>> nat pool address: 172.16.10.1-172.16.10.63
>>> nat pool address is on the same network of upstream device.
>>>
>>> Maybe I don't understand you well. In your first post you mentioned
>>> that I should define a static route on the upstream device so it would
>>> send packets destined for the NATed address to the gw. In this post
>>> you've talked about defining a static route on the gw to the upstream?
>>> Could you explain to me more about your suggestion of using static
>>> routes instead of the proxy-arp solution?
>>>
>>> However, in the above topology, there is no need to define a static
>>> route on the upstream device (they are on the same network) in normal
>>> conditions, so it should be applicable when NAT is used on the gw,
>>> right? What's the solution then?
>>> _______________________________________________
>>> freebsd-pf at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>>>
>> I completely don't see the point of using arp-proxy at all. Can you
>> enlighten me? You need to connect two networks; also, is there any point
>> in using NAT at all, instead of just routing traffic between them, unless
>> one of them is the Internet or some MAN/WAN network?
>>
>> As Olli mentioned, you need to add a route if you don't want to put the
>> NAT address on the interface. I don't know any ARP proxy software for
>> FreeBSD, because I've never used one. So, ok, if Olli was so kind as to
>> clear things up, he seems to have better experience in these matters.
>>
>> Btw. Sara, please, possibly use "Answer in list" instead of "Answer to me
>> with Cc to list" in your mail client :-) Or just send back to
>> freebsd-pf at freebsd.org. Thanks.
>>
>>
>
> I've just put an example in the previous post to clarify my purpose. The gw
> system in the sample is possibly a stub router that connects a network to,
> let's say, the Internet. What I actually want to figure out is whether, when
> I define NAT on the stub router, without any need to define static routes on
> other systems, it would be possible to get NAT working properly, as happens
> on a Cisco stub router using NAT?

It seems that it automatically makes an ARP proxy. But this is... an extra.
Actually not necessary, unless you badly want to ARP everyone and have L2
access between networks. Cisco is sooo pro. Don't be surprised that the
open-source world doesn't have the "out-of-the-box features" which are
provided by Cisco, to be "more pro".

> According to what is discussed here, I believe the only way is to use
> arp-proxy for the pool addresses. In this way, there is no difference for
> other systems whether the stub router is using NAT or not. It's the duty of
> the NAT router to handle the consequences of NATing (replying to responses
> to the NATed addresses that are not really available). I think maybe adding
> entries to the ARP table using the arp command does the proxy-arping.

If a host asks for reverse ARP, like, ok, I've got in my ARP table the address
xx:xx:xx:xx:xx:xx (hex symbols only ;) ). It came from a different network,
but I still got it because there was some ARP proxy magic. If not, the packet
got the IP address from the right host and the MAC from the gateway. What's
the big deal? This is how it works.
For the purpose of network scanning/monitoring between two networks, of
course, an ARP proxy would be helpful, because otherwise you cannot
definitely say that a host is on/off. But for that reason the ICMP protocol
was created, to make the hosts respond on layer 3. If a host does not
respond to an echo request, the nearest gateway/router can send an ICMP
packet back, "Destination host unreachable", depending on the router's
firewall behaviour.
For example, some "strange network operator" set a static ARP of the router
(79.110.195.x) for an unused IP; here is the example. What happens then:

$ ping 79.110.199.y
PING 79.110.199.y (79.110.199.y) 56(84) bytes of data.
 From 79.110.195.x icmp_seq=1 Time to live exceeded
 From 79.110.195.x icmp_seq=2 Time to live exceeded
 From 79.110.195.x icmp_seq=3 Time to live exceeded
 From 79.110.195.x icmp_seq=4 Time to live exceeded

The packets are looped on router until TTL falls down to zero.

> As I understand (and I'm not sure my understanding is correct), Olli
> suggests defining static routes on the upstream router to send packets
> destined for pool addresses to the gw. In this scenario, the NAT process is
> not transparent any more and the upstream system should be aware of it and
> support it by adding static routes, which is undesirable.

I don't think so; why *must* NAT be transparent? Look at the Internet: how
do you know whether some public IP address, either PI or PA, is a gateway
or a leaf on the network tree? Unless you own/manage both sides of the NAT,
you make them behave in the most desired way.

>
> P.S. I've used the "reply all" button in gmail and it sets the To and Cc
> fields itself. Sorry if this bothers you. I will take care of it :)
On a mailing list, you just use reply, because everyone will get it: the
mailing list software will "spread the word" to all subscribers :-) I don't
use the gmail web client on a daily basis, but I assumed that clicking
"Answer" on a mail like mine now will add the "freebsd-pf at freebsd.org"
address (only!) as a receiver straight away.

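As an added example (not code from this thread, nor from FreeBSD or pf themselves), here is how the proxy-ARP approach discussed above could be set up on the gw for Sara's topology: a pf nat rule over the pool 172.16.10.1-172.16.10.63, plus arp(8) published entries so the upstream router on the same subnet learns the gw's MAC for every pool address without any static route. The external interface name (em0) and its MAC address are placeholders; the LAN and pool values come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: pf NAT pool on the upstream subnet, made
# reachable without static routes on the upstream router by publishing proxy-ARP
# entries for each pool address on the gateway's external interface.
# Thread values: LAN 11.11.11.0/24, pool 172.16.10.1-172.16.10.63.
# Assumptions (placeholders): external interface em0 and its MAC address.
set -eu

EXT_IF="${EXT_IF:-em0}"                  # assumed gw upstream interface
EXT_MAC="${EXT_MAC:-00:00:00:00:00:01}"  # assumed MAC of EXT_IF (see ifconfig)
LAN_NET="11.11.11.0/24"
POOL_PREFIX="172.16.10"
POOL_FIRST=1
POOL_LAST=63

# One pool address per line: $POOL_PREFIX.$1 .. $POOL_PREFIX.$2
pool_ips() {
    i=$1
    while [ "$i" -le "$2" ]; do
        printf '%s.%s\n' "$POOL_PREFIX" "$i"
        i=$((i + 1))
    done
}

# pf.conf nat rule to merge into /etc/pf.conf: outbound LAN traffic is
# translated round-robin over the explicit pool list.
pf_nat_rules() {
    pool=$(pool_ips "$POOL_FIRST" "$POOL_LAST" | tr '\n' ' ' | sed 's/ $//; s/ /, /g')
    printf 'ext_if = "%s"\n' "$EXT_IF"
    printf 'nat on $ext_if from %s to any -> { %s } round-robin\n' "$LAN_NET" "$pool"
}

# arp(8) commands: a 'pub' entry makes the gateway answer ARP requests for an
# address that is not configured on it, so the upstream router on the same
# subnet resolves every pool address to the gateway's MAC and return traffic
# reaches pf for reverse translation.
arp_pub_cmds() {
    pool_ips "$POOL_FIRST" "$POOL_LAST" | while read -r ip; do
        printf 'arp -s %s %s pub\n' "$ip" "$EXT_MAC"
    done
}

# Dry run by default (prints the rule and the commands); APPLY=1 runs the
# arp commands on the gateway.
if [ "${APPLY:-0}" = 1 ]; then
    arp_pub_cmds | sh -e
else
    pf_nat_rules
    arp_pub_cmds
fi
```

Published ARP entries do not survive a reboot, so the arp commands need to be re-run at boot; the printed nat line is meant to be merged into the existing /etc/pf.conf rather than loaded on its own, since loading only this fragment would replace the whole ruleset.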
